AI Security Review
scanned 14h ago · by lpm-firewall-aiInstalling the package modifies the consumer repository by adding a GitHub Actions workflow. On later pushes, that workflow collects repository identity and transmits it to a hard-coded external registry.
Decision evidence
public snapshot- `package.json` runs `node bin/postinstall.cjs` on install.
- `bin/postinstall.cjs` silently creates `.github/workflows/sync-package-registry.yml` in the consuming project.
- The generated workflow persists on `push` and `workflow_dispatch`.
- That workflow reads repository identity with `GITHUB_TOKEN` and POSTs owner, repo, and repoId to a hard-coded third-party registry.
- The install hook requires no explicit setup command or user confirmation.
- `bin/postinstall.cjs` does not send `GITHUB_TOKEN` to the external registry.
- `dist/lystech-core-provider.es.js` network code is application-facing Axios/Firebase usage, not install-time harvesting.
- No package source inspected executes remote code or overwrites existing workflow files.
Source & flagged code
10 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgSource appears to send environment or credential material to an external endpoint.
dist/lystech-core-provider.umd.jsView on unpkg · L16A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/lystech-core-provider.umd.jsView on unpkg · L16Package contains a high-severity secret pattern.
dist/lystech-core-provider.umd.jsView on unpkg · L1727Google API key in dist/lystech-core-provider.umd.js
dist/lystech-core-provider.umd.jsView on unpkg · L1727Package contains source files above the static scanner size ceiling.
dist/lystech-core-provider.es.jsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/attach.cjsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/postinstall.cjsView on unpkgSource file is highly similar to a previously finalized malicious package; route for source-aware review.
bin/setup-registry.cjsView on unpkg